Two-step verification (2SV) is a login feature available on many online accounts today. It adds a second step to the authentication process: after entering the password, the user must also enter a one-time code that the service sends to a pre-verified phone or other device. Google calls this a "step" rather than a "factor", but because the code proves possession of a registered device it is in practice a second factor: something you know (the password) plus something you have (the phone).

2SV therefore protects a user's account even if the corresponding password has been compromised: an attacker who knows the password still cannot complete the login without a code that only the registered device receives.

One of the most important things a user can protect with 2SV is their Google account, which can be used for personal and business email, social networking on Google+, and other purposes. Provided below is a guide on how you can enable this feature on your Google account.

1. Sign into your Google account.

2. At the top right of your browser screen, you will find a circular icon that either contains the first letter of your username or a picture of yourself. Click on that icon.

3. A profile card containing your username, your full Google email, and a number of buttons will load beneath the icon. Click on the blue button labeled “My Account.”

4. A new tab will load that brings you to the home page for “My Account.” Scroll down on that page and click on the “Sign-in & security” setting.

5. The Google Sign-in & security page will load up. You can use this page to manage the security settings of your account, including setting up a recovery email and phone, changing your password, and conducting a security checkup of your account. You can also set up 2SV here.

Scroll down the page. Under the “Signing in to Google” sub-heading, you will find a box entitled “Password & sign-in method.” In that box, click on “2-Step Verification.” (NOTE: This feature should be labeled “Off” if you have not already enabled 2SV on your account.)

6. On the right-hand side of the "Signing in with 2-step verification" page that loads, you will see a box that includes a blue button labeled "Start setup »". Click on that button.

7. At this point, Google will likely prompt you to resubmit your login credentials. Enter your password and click the button “Sign in.”

8. Enter your phone number into the available text field and click on one of the radio buttons to indicate whether you want to receive the verification codes via SMS text message or via call. Once Google has verified that you have entered your mobile phone number correctly (i.e. in the format (222) 555-5555), a blue button labeled “Send code” will become clickable at the bottom of your screen. Click that button.

9. A page will load saying that Google has sent you a code. You should receive a code from Google in the next few seconds either via SMS text message or call. Once you have received the six-digit code, enter it into the available text field and press the blue button “Verify.”

10. Next, you will be asked whether Google should trust your computer. Trusting a device means Google will not ask for a verification code on future logins from that browser; it remembers the device (typically through a long-lived cookie in that browser, so clearing cookies or using a different browser brings the prompt back). Because anyone with access to a trusted device can skip the second step entirely, check the box ONLY if the device belongs to you and it is not a public or shared computer. When you are done, click the blue button labeled "Next."

11. And you're done! You will be redirected to a page where you can manage the settings of your two-step verification feature. On this page, you can edit your pre-verified phone number, create app-specific passwords, manage your registered (i.e. trusted) computers, or even designate a security key if you are using Google's Chrome browser. (NOTE: Now that you have set up 2SV on your account, the box to the right of your screen will list the feature as "On.")

You can also set up a backup phone and print out or save backup codes that allow you to access your account in the event that you lose your device. Keep the backup codes somewhere safe and separate from the account they protect (not in that account's own email or drive), since each code lets a holder complete the second step without your phone.

It is STRONGLY recommended that you set up at least one of these two backup settings.

12. From now on, whenever you sign into your Google account, Google will prompt you for a verification code after you enter your password.

Enter the code once you receive it via SMS text message or call. If the code is correct, you will be taken to your account.

Now that you have 2SV all set up on your Google account, it’s important to note that there are other ways you can receive a verification code. I discuss one such method, the Google Authenticator app, in a separate article.
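To make the mechanics behind the steps above concrete, here is a small server-side model of the flow (added here as an illustration; it is not Google's code and does not reproduce Google's implementation). It models the password check, a six-digit code "sent" to the registered phone, code expiry and single use, a guess limit, the "trust this computer" token from step 10, and single-use backup codes. The five-minute validity window and the five-guess limit are assumed values chosen for the example, not Google's.

```python
# Toy model of the two-step login described in the guide (added illustration,
# not Google's code): password, then a six-digit code "sent" to the registered
# phone, with expiry, single use, a guess limit, a trusted-device token and
# single-use backup codes. Time limit and attempt count are assumed values.
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_CODE_ATTEMPTS = 5    # assumption: five wrong guesses invalidate the code


class TwoStepAccount:
    def __init__(self, password, phone, now=time.time):
        self.salt = secrets.token_hex(8)
        self.password_hash = self._hash(password)
        self.phone = phone
        self.now = now                # injectable clock so expiry can be shown
        self.sent_messages = []       # stands in for the SMS / voice-call channel
        self.pending = None           # [code, issued_at, wrong_attempts] or None
        self.trusted_devices = set()  # hashes of trusted-device tokens
        self.backup_codes = set()     # hashes of unused backup codes

    def _hash(self, value):
        # Salted SHA-256 so stored codes and tokens are useless if the store leaks.
        return hashlib.sha256((self.salt + value).encode()).hexdigest()

    def start(self, password, device_token=None):
        """Step 1: returns 'denied', 'ok' (trusted device) or 'code_required'."""
        if not hmac.compare_digest(self.password_hash, self._hash(password)):
            return "denied"
        if device_token and self._hash(device_token) in self.trusted_devices:
            return "ok"               # trusted device: second step is skipped
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending = [code, self.now(), 0]
        self.sent_messages.append((self.phone, code))
        return "code_required"

    def verify_code(self, code):
        """Step 2: True only for the current, unexpired, unused code."""
        if self.pending is None:
            return False
        expected, issued_at, attempts = self.pending
        if self.now() - issued_at > CODE_TTL_SECONDS or attempts >= MAX_CODE_ATTEMPTS:
            self.pending = None       # expired or brute-forced: a fresh code is needed
            return False
        if not hmac.compare_digest(expected, code):
            self.pending[2] += 1
            return False
        self.pending = None           # single use: the same code cannot be replayed
        return True

    def trust_this_device(self):
        """The 'trust this computer' box: returns a token the browser keeps."""
        token = secrets.token_urlsafe(32)
        self.trusted_devices.add(self._hash(token))
        return token

    def issue_backup_codes(self, count=10):
        """Printable backup codes; only their hashes are stored server-side."""
        codes = [f"{secrets.randbelow(10**8):08d}" for _ in range(count)]
        self.backup_codes = {self._hash(c) for c in codes}
        return codes

    def verify_backup_code(self, code):
        """Alternative step 2 when the phone is lost; each code works once."""
        digest = self._hash(code)
        if self.pending is None or digest not in self.backup_codes:
            return False
        self.backup_codes.discard(digest)
        self.pending = None
        return True


def demo():
    """Walks through the scenarios from the guide and returns what happened."""
    clock, pw = [1_700_000_000.0], "correct horse battery"   # fake clock (seconds)
    acct = TwoStepAccount(pw, "(222) 555-5555", now=lambda: clock[0])

    # A stolen password alone does not get in: the attacker lacks the phone.
    out = {"stolen_password": acct.start(pw)}               # 'code_required'
    _, code = acct.sent_messages[-1]
    wrong = f"{(int(code) + 1) % 10**6:06d}"                # any code but the real one
    out["attacker_guess"] = acct.verify_code(wrong)         # False
    out["real_code"] = acct.verify_code(code)               # True
    out["replayed_code"] = acct.verify_code(code)           # False, already used

    acct.start(pw)                                          # codes expire
    _, code = acct.sent_messages[-1]
    clock[0] += CODE_TTL_SECONDS + 1
    out["expired_code"] = acct.verify_code(code)            # False

    acct.start(pw)                                          # trusted device
    acct.verify_code(acct.sent_messages[-1][1])
    token = acct.trust_this_device()
    out["trusted_device"] = acct.start(pw, token)           # 'ok', no code asked
    out["trusted_wrong_pw"] = acct.start("guess", token)    # 'denied'

    codes = acct.issue_backup_codes()                       # backup codes
    acct.start(pw)
    out["backup_first_use"] = acct.verify_backup_code(codes[0])    # True
    acct.start(pw)
    out["backup_second_use"] = acct.verify_backup_code(codes[0])   # False
    return out
```

Running `demo()` shows the properties the guide relies on: a known password still yields `code_required`, a code is rejected once used or once the window closes, a trusted-device token skips only the second step (never the password), and a backup code is consumed on first use. The model deliberately stores only salted hashes of tokens and backup codes, so a copy of the account record does not by itself let anyone pass the second step.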

6 Responses

Something not mentioned, but much more secure, is the FIDO U2F YubiKey. It protects your account against "password theft, phishing, hacking, and keylogging scams" and has been found to "harden security, improve user satisfaction, and cut support costs."

If you try to log into a fake Gmail website the YubiKey will detect this and refuse to authenticate whereas if you use a one-time code a fake Gmail site will gladly take it and pass the details onto hackers.

The devices cost £12.99 and they’re virtually indestructible. There is a more expensive device available which is compatible with more online services.

Obviously if you can't afford one, or don't want to use one, then activate 2SV anyway as it will provide much needed additional security. But remember that 2SV doesn't make your account immune to being hacked.

Also, never, ever, give your 2SV one-time code to anybody and make sure that the device you receive them on is secure.
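The comment above makes a claim worth seeing in code: a one-time code typed into a fake site can simply be relayed to the real one, whereas a FIDO U2F assertion is bound to the origin the browser is actually on. What follows is an added, constructed illustration of that difference; it is not part of the comment and not YubiKey's or Google's code. It is simplified: the security key signs with an HMAC stand-in instead of the real device's ECDSA key pair, the "browser" is just a function argument that reports the page origin, and both origins are made-up examples.

```python
# Added illustration of why a relayed one-time code works for a phishing site
# while a U2F-style assertion does not. Simplified model: HMAC stands in for the
# device's ECDSA signature, and the browser is the caller that reports the origin.
import hashlib
import hmac
import json
import secrets

GENUINE_ORIGIN = "https://accounts.google.com"
PHISH_ORIGIN = "https://accounts-google-login.example"   # constructed lookalike


class Service:
    """The real site: issues one-time codes and U2F-style challenges."""

    def __init__(self, origin):
        self.origin = origin
        self.otp = None
        self.registered_keys = {}   # key_handle -> per-site key material

    # --- SMS / voice one-time code path ---
    def send_otp(self):
        self.otp = f"{secrets.randbelow(10**6):06d}"
        return self.otp             # "delivered" to the user's phone

    def check_otp(self, code):
        ok = self.otp is not None and hmac.compare_digest(self.otp, code)
        self.otp = None             # single use
        return ok

    # --- U2F-style path ---
    def new_challenge(self):
        return secrets.token_hex(16)

    def check_assertion(self, key_handle, challenge, client_data, signature):
        data = json.loads(client_data)
        if data["challenge"] != challenge or data["origin"] != self.origin:
            return False            # the browser was talking to some other site
        key = self.registered_keys[key_handle]
        expected = hmac.new(key, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)   # client_data is covered


class SecurityKey:
    """U2F-style token: signs what the browser reports, not what the user believes."""

    def __init__(self):
        self.handle = secrets.token_hex(8)
        self.secret = secrets.token_bytes(32)   # stand-in for the per-site key pair

    def register(self, service):
        service.registered_keys[self.handle] = self.secret

    def sign(self, challenge, browser_origin):
        # The browser, not the user, fills in the origin of the page it is on.
        client_data = json.dumps({"challenge": challenge, "origin": browser_origin}).encode()
        return client_data, hmac.new(self.secret, client_data, hashlib.sha256).digest()


def phish_with_otp(service):
    """Attacker proxies the victim's login; the relayed code is accepted."""
    code_on_victims_phone = service.send_otp()
    code_typed_into_fake_site = code_on_victims_phone      # victim hands it over
    return service.check_otp(code_typed_into_fake_site)    # True: site cannot tell


def phish_with_u2f(service, key):
    """Same proxy attack against a security key; the signed origin gives it away."""
    challenge = service.new_challenge()                    # attacker fetches a real one
    client_data, sig = key.sign(challenge, PHISH_ORIGIN)   # victim's browser is on the fake site
    return service.check_assertion(key.handle, challenge, client_data, sig)   # False


def phish_with_u2f_and_tamper(service, key):
    """Attacker rewrites the origin to the genuine one; the signature no longer matches."""
    challenge = service.new_challenge()
    client_data, sig = key.sign(challenge, PHISH_ORIGIN)
    forged = json.dumps({"challenge": challenge, "origin": GENUINE_ORIGIN}).encode()
    return service.check_assertion(key.handle, challenge, forged, sig)        # False


def legitimate_u2f(service, key):
    challenge = service.new_challenge()
    client_data, sig = key.sign(challenge, GENUINE_ORIGIN)
    return service.check_assertion(key.handle, challenge, client_data, sig)   # True


def demo():
    service = Service(GENUINE_ORIGIN)
    key = SecurityKey()
    key.register(service)
    return {"otp_phished": phish_with_otp(service),
            "u2f_phished": phish_with_u2f(service, key),
            "u2f_tampered": phish_with_u2f_and_tamper(service, key),
            "u2f_legit": legitimate_u2f(service, key)}
```

The point the model makes is that the one-time code carries no information about where it was typed, so a proxy can forward it unchanged; the U2F assertion covers the origin the browser observed, so the real site sees either the wrong origin or a signature that no longer verifies. In the real protocol the browser additionally refuses to invoke a key for an origin that does not match the registered application identifier, and the device uses an ECDSA key pair rather than a shared secret, so the server holds only a public key.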

It would help if the Google account setup actually worked. I just tried it. It suggested I create an app password for Mail on my phone. I created one but this password wasn’t accepted on my phone. Instead I put in my normal password and after text verification it accepted my normal password. It’s one thing to make things secure by creating a small amount of complexity but when things don’t work it completely turns off users who want to keep things as simple as possible.

The nice thing about Google's 2SV is that you can set up multiple backup second verification elements (this also goes for cases where you can't log in to your Google account and need a password reset). Let's say I use my mobile number for SMS verification but forget to update it in my Google account when I change my mobile number (out of luck if that is your only one, and you will be locked out, but…). As long as I have other verification elements such as the Authenticator app, alternate email(s), alternate number(s) I won't be locked out. And I do have these for my Google account. Also, this is the case for Microsoft accounts like outlook.com - in fact it seems that Microsoft might have better/more options than Google for their 2SV (which are also used for password reset verifications).

What I am nervous about is using 2SV for Internet accounts that only allow one option (Namely one mobile SMS number). Godaddy has it but you can (so far, it seems) only use one number for mobile SMS. I set this up for my Godaddy account but soon turned it back off after considering the potential problem mentioned above. After that I expressed my concern to Godaddy constructively and the person I talked to understood. I hope they improve on that.

2SV is very important. But there need to be some redundancies to avoid the danger of being locked out, the way Google and Microsoft offer.
